Since 2009 or so, I’ve been using and preaching about using a password manager to generate and track all of your usernames and passwords. Until some other system comes along, the only way to safeguard your user accounts is to use a complex and unique password for every one of them. If hackers steal a site’s user database and can decipher your credentials for that site, they can use those credentials to log in to other sites where you use the same password. But with a password manager, it’s easy to create strong and unique passwords for each site. And should hackers ever breach a site you use, you only need to change the password for that site, because all your other accounts use different passwords.
Yesterday, Yahoo revealed that in 2013 hackers stole user information for about one billion Yahoo accounts. By the way, this is a separate theft from the one the company disclosed earlier this year, in which thieves stole information from 500 million users in 2014.
The stolen user information includes (emphases are mine):
- email addresses
- telephone numbers
- dates of birth
- hashed passwords
- security questions and answers
Ordinarily, I would just change my password for any Yahoo account I have. The password manager would generate and store a new unique and complex password, and it would alert me if I had other accounts on Yahoo that needed the same treatment. It turns out I have two Yahoo accounts, although I haven’t used one of them since 2008 or so.
Because so many people use the same password for multiple sites, it’s fairly common for sites that store usernames and passwords to hash the passwords (run them through a one-way function) so that thieves who steal the database can’t read them and use them to log in to your accounts. Apparently, Yahoo did this, but used a hashing technique that is cryptographically broken.
However, what seems even more troubling to me is that Yahoo might not have hashed the security questions and answers that act as workarounds to access your account when you forget your password. These “security questions” are a very primitive way of verifying a user. Twenty or so years ago, when you phoned your bank, they would verify your identity using your mother’s maiden name or your date of birth. But today that seems quaint because it’s not really secure: a close friend or relative can easily know that information.
Nonetheless, many websites have used similar security questions to “safeguard” your account:
- where were you born?
- what is the name of your favorite teacher?
- what is the make of your first car?
- what is your high school’s mascot?
- what was the name of the first street you lived on?
- what was your first job?
With a little detective work, someone can learn all these bits of “secure” information about you.[1] As a way to strengthen this system, I use fake answers for these security questions: some are random bits of text and some are just random names. I record these in a password manager.
However, since Yahoo doesn’t appear to have hashed those security questions and answers, instead storing them as plain text, the stolen answers could be used to reset the passwords on your accounts.
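The two defenses this post describes, random fake answers on the user side and hashed rather than plaintext storage on the site side, as an added Python example that is not from the post or from Yahoo (the function names, iteration count and record layout are my own choices for illustration):

```python
import hashlib
import hmac
import os
import secrets
import unicodedata

# Constants chosen for this example (hypothetical; not any site's real settings).
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def normalize(answer: str) -> str:
    """Canonicalize an answer so 'Rex', ' rex ' and 'REX' verify the same way."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def store_answer(answer: str) -> dict:
    """Hardened storage: keep only a per-answer salt and a slow, salted hash.

    A stolen table of these records yields no directly usable answers, unlike
    the plaintext storage the post describes."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": PBKDF2_ITERATIONS}


def verify_answer(record: dict, candidate: str) -> bool:
    """Recompute the hash for the candidate and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize(candidate).encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def generate_fake_answer(words: int = 4) -> str:
    """User-side defense from the post: a random answer nobody can research,
    meant to be stored in a password manager. Random hex tokens stand in for words."""
    return "-".join(secrets.token_hex(4) for _ in range(words))


if __name__ == "__main__":
    fake = generate_fake_answer()
    record = store_answer(fake)
    print("plaintext storage would leak:", fake)
    print("hashed record leaks only:", record)
    print("correct answer verifies:", verify_answer(record, fake))
    print("guessed pet name verifies:", verify_answer(record, "fluffy"))
```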
If I learned something from this breach, it’s that the time has come to get rid of security questions and instead force users to use two-factor authentication.[2] This requires you to enter your password and a temporary code that is either generated by an app on your mobile device or sent to you by text message.[3] This provides a small safeguard because if hackers learn your credentials, they still need a code to access your account.
It’s certainly more secure than the name of your childhood pet.
1. Some sites force you to choose from a list of answers. For example, United Mileage Plus asks “What is Your Favorite Sea Animal?” and offers about forty choices. United chose this method because it would prevent a hacker from logging your keystrokes and stop users from revealing their password in a security question. Some users need to be saved from themselves.
2. Last year, Google found that security questions weren’t actually secure and encouraged users to use a second factor to authenticate. They are phasing them out.
3. Once you activate two-factor on your Apple account, you no longer authenticate with security questions. Good riddance!
Originally published on Wordpress